Bitcoin, Ethereum, Solana, Tron, Litecoin, and Bitcoin Cash chains under attack

Large scale supply chain attack is undergoing on Solana, Tron, Litecoin, and Bitcoin Cash chains as NPM account of a prominent developer has been compromised.

In any website that uses this hacked dependency, it gives a chance to the hacker to inject malicious code, so for example, when you click a “swap” button on a website, the code might replace the tx sent to your wallet with a tx sending money to the hacker.

But in your wallet you’d still see the bad tx and need to approve it; it’s not like you’ll instantly get drained. Furthermore, this will only impact websites that pushed an update since the hacked npm package was published, as other projects will have the old version.

And most projects pin their dependencies, so even if they push an update, they’ll keep using the old safe code. So your wallet is safe, and the effective impact area is much smaller than “all websites,” but since you cannot really know if a project pinned dependencies or if they have some dynamically downloaded dependency (very unlikely), it’s just safer to avoid using crypto / DeFi websites till this blows over and they clean up the bad packages.

What really matters here is supply-chain hygiene on the projects side. If a dapp has strict version pinning and audits its deps, users are fine. The problem is that from the outside you can’t easily tell which projects do this well, which is why a cautious pause on signing until maintainers confirm is the safest move.